autoworkflow 3.6.0 → 3.7.0

package/.claude/hooks/pre-edit.sh

@@ -1,10 +1,14 @@
 #!/bin/bash
-# AutoWorkflow Pre-Edit Hook
+# AutoWorkflow Pre-Edit Hook (v3.7.0 - Fail-Closed Design)
 # Runs on: PreToolUse for Write/Edit tools
-# Purpose: Enforce plan approval before implementation
+# Purpose: BLOCK edits by default unless workflow state is properly set
 #
-# This hook implements the plan_approval_gate enforcement
-# It BLOCKS Write/Edit operations if plan hasn't been approved
+# DESIGN PRINCIPLE: Fail-closed
+# - If state is not initialized → BLOCK (auto-init as feature)
+# - If plan not approved → BLOCK
+# - If suggestions not shown (feature tasks) → BLOCK
+# - If multiple edits per turn → BLOCK
+# - Only allow edit if ALL checks pass
 
 # Colors
 RED='\033[0;31m'
@@ -24,14 +28,43 @@ TASK_TYPE_FILE="$STATE_DIR/task-type"
 PLAN_APPROVED_FILE="$STATE_DIR/plan-approved"
 SUGGESTIONS_SHOWN_FILE="$STATE_DIR/suggestions-shown"
 CURRENT_TURN_EDITS_FILE="$STATE_DIR/current-turn-edits"
-SELECTED_ITEMS_FILE="$STATE_DIR/selected-items"
+WORKFLOW_INITIALIZED_FILE="$STATE_DIR/workflow-initialized"
+
+# Auto-initialize workflow state with safe defaults
+auto_init_state() {
+    mkdir -p "$STATE_DIR"
+
+    # Set safe defaults - assume feature task (strictest)
+    echo "feature" > "$TASK_TYPE_FILE"
+    echo "IMPLEMENT" > "$PHASE_FILE"
+    echo "false" > "$PLAN_APPROVED_FILE"
+    echo "false" > "$SUGGESTIONS_SHOWN_FILE"
+    echo "0" > "$CURRENT_TURN_EDITS_FILE"
+    echo "true" > "$WORKFLOW_INITIALIZED_FILE"
+
+    echo ""
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo -e "${CYAN}${BOLD}📋 AUTOWORKFLOW: STATE INITIALIZED${NC}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    echo "Workflow state auto-initialized with safe defaults:"
+    echo "  Task type:        feature (strictest)"
+    echo "  Plan approved:    false"
+    echo "  Suggestions shown: false"
+    echo ""
+}
+
+# Check if workflow is initialized
+is_workflow_initialized() {
+    [ -d "$STATE_DIR" ] && [ -f "$WORKFLOW_INITIALIZED_FILE" ]
+}
 
 # Get current phase
 get_phase() {
     if [ -f "$PHASE_FILE" ]; then
         cat "$PHASE_FILE"
     else
-        echo "IDLE"
+        echo "UNKNOWN"
     fi
 }
 
@@ -40,7 +73,7 @@ get_task_type() {
     if [ -f "$TASK_TYPE_FILE" ]; then
         cat "$TASK_TYPE_FILE"
     else
-        echo "unknown"
+        echo "feature"  # Default to strictest
     fi
 }
 
@@ -53,7 +86,7 @@ is_plan_approved() {
     return 1
 }
 
-# Check if suggestions were shown (for feature tasks)
+# Check if suggestions were shown
 suggestions_shown() {
     if [ -f "$SUGGESTIONS_SHOWN_FILE" ]; then
         local status=$(cat "$SUGGESTIONS_SHOWN_FILE")
@@ -79,142 +112,182 @@ increment_turn_edits() {
     echo "$next"
 }
 
-# Check if user has selected items to implement
-has_selected_items() {
-    if [ -f "$SELECTED_ITEMS_FILE" ]; then
-        local content=$(cat "$SELECTED_ITEMS_FILE")
-        [ -n "$content" ] && return 0
-    fi
-    return 1
-}
-
-# Check if task type requires approval
-requires_approval() {
+# Check if task type requires strict workflow
+requires_strict_workflow() {
     local task_type="$1"
     case "$task_type" in
-        # These task types require plan approval
+        # Strict workflow required
         feature|fix|refactor|perf|security|test)
             return 0
             ;;
-        # These can proceed without explicit approval
-        docs|style|config|query)
+        # Relaxed workflow
+        docs|style|config)
             return 1
             ;;
-        # Unknown defaults to requiring approval
+        # Unknown = strict
         *)
             return 0
             ;;
     esac
 }
 
-# Main check
-main() {
-    local phase=$(get_phase)
-    local task_type=$(get_task_type)
+# GATE 1: Plan Approval Check
+check_plan_approval() {
+    local task_type="$1"
 
-    # Skip check if no task is active
-    if [ "$phase" = "IDLE" ]; then
-        exit 0
+    if ! requires_strict_workflow "$task_type"; then
+        return 0  # Pass for relaxed task types
     fi
 
-    # Skip check for task types that don't require approval
-    if ! requires_approval "$task_type"; then
-        exit 0
+    if ! is_plan_approved; then
+        echo ""
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo -e "${RED}${BOLD}⛔ GATE 1: PLAN APPROVAL REQUIRED${NC}"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        echo -e "${CYAN}Task Type:${NC}     $task_type"
+        echo -e "${CYAN}Plan Approved:${NC} NO"
+        echo ""
+        echo "You MUST get user approval before making any edits."
+        echo ""
+        echo -e "${BOLD}Required steps:${NC}"
+        echo "  1. Analyze the codebase"
+        echo "  2. Present your plan to the user"
+        echo "  3. Wait for explicit approval (yes/proceed/approved)"
+        echo "  4. THEN implement"
+        echo ""
+        echo -e "${DIM}To mark approved: echo 'true' > $PLAN_APPROVED_FILE${NC}"
+        echo ""
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        return 1
     fi
+    return 0
+}
 
-    # Skip check if already in IMPLEMENT or later phases
-    case "$phase" in
-        IMPLEMENT|VERIFY|FIX|AUDIT|PRE_COMMIT|COMMIT|UPDATE)
-            # Already past approval, allow edits
-            exit 0
-            ;;
-    esac
+# GATE 2: Suggestions Check (for feature tasks)
+check_suggestions() {
+    local task_type="$1"
+
+    # Only enforce for feature tasks
+    if [ "$task_type" != "feature" ]; then
+        return 0
+    fi
+
+    if ! suggestions_shown; then
+        echo ""
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo -e "${RED}${BOLD}⛔ GATE 2: SUGGESTIONS REQUIRED${NC}"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        echo -e "${CYAN}Task Type:${NC} feature"
+        echo ""
+        echo "For feature tasks, you MUST show 3-tier suggestions FIRST:"
+        echo ""
+        echo "  🔴 Required     - Must implement"
+        echo "  🟡 Recommended  - Should implement"
+        echo "  🟢 Optional     - Nice to have"
+        echo ""
+        echo "Show suggestions, let user select, THEN implement ONE at a time."
+        echo ""
+        echo -e "${DIM}To mark shown: echo 'true' > $SUGGESTIONS_SHOWN_FILE${NC}"
+        echo ""
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        return 1
+    fi
+    return 0
+}
+
+# GATE 3: One Edit Per Turn Check (applies to ALL implementation)
+check_one_edit_per_turn() {
+    local task_type="$1"
 
-    # Check if we're in a pre-approval phase
-    if [ "$phase" = "ANALYZE" ] || [ "$phase" = "PLAN" ]; then
-        if ! is_plan_approved; then
-            echo ""
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo -e "${RED}${BOLD}⛔ AUTOWORKFLOW: PLAN APPROVAL REQUIRED${NC}"
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo ""
-            echo -e "${CYAN}Current Phase:${NC} $phase"
-            echo -e "${CYAN}Task Type:${NC}    $task_type"
-            echo -e "${CYAN}Plan Approved:${NC} NO"
-            echo ""
-            echo "Cannot edit files before plan approval."
-            echo ""
-            echo -e "${BOLD}Required workflow:${NC}"
-            echo "  1. Complete ANALYZE phase (read relevant files)"
-            echo "  2. Present PLAN with suggestions"
-            echo "  3. Wait for user approval"
-            echo "  4. THEN implement"
-            echo ""
-            echo -e "${DIM}To approve, user must say: yes, proceed, approved, go ahead${NC}"
-            echo ""
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo ""
-
-            # Exit with error to BLOCK the edit
-            exit 1
-        fi
+    if ! requires_strict_workflow "$task_type"; then
+        return 0  # Pass for relaxed task types
     fi
 
-    # CHECK: Suggestions must be shown for feature tasks before implementing
-    if [ "$task_type" = "feature" ] && [ "$phase" = "IMPLEMENT" ]; then
-        if ! suggestions_shown; then
-            echo ""
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo -e "${RED}${BOLD}⛔ AUTOWORKFLOW: SUGGESTIONS REQUIRED${NC}"
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo ""
-            echo -e "${CYAN}Task Type:${NC} feature"
-            echo ""
-            echo "For feature tasks, you MUST show 3-tier suggestions first:"
-            echo ""
-            echo "  🔴 Required    - Must implement"
-            echo "  🟡 Recommended - Should implement"
-            echo "  🟢 Optional    - Nice to have"
-            echo ""
-            echo "Show suggestions, let user select items, THEN implement."
-            echo ""
-            echo -e "${DIM}To mark suggestions shown: echo 'true' > $SUGGESTIONS_SHOWN_FILE${NC}"
-            echo ""
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo ""
-            exit 1
-        fi
+    local edit_count=$(get_turn_edit_count)
+
+    if [ "$edit_count" -ge 1 ]; then
+        echo ""
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo -e "${YELLOW}${BOLD}⛔ GATE 3: ONE EDIT PER TURN${NC}"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        echo -e "${CYAN}Edits this turn:${NC} $edit_count"
+        echo ""
+        echo "You can only make ONE edit per user turn."
+        echo ""
+        echo "This ensures:"
+        echo "  1. Easier to track changes"
+        echo "  2. Errors caught early"
+        echo "  3. User can review incrementally"
+        echo ""
+        echo "Wait for user's next message before making another edit."
+        echo ""
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        return 1
     fi
 
-    # CHECK: One fix at a time (max 1 edit per turn in FIX phase)
-    if [ "$phase" = "FIX" ]; then
-        local edit_count=$(get_turn_edit_count)
-        if [ "$edit_count" -ge 1 ]; then
-            echo ""
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo -e "${YELLOW}${BOLD}⚠ AUTOWORKFLOW: ONE FIX AT A TIME${NC}"
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo ""
-            echo -e "${CYAN}Edits this turn:${NC} $edit_count"
-            echo ""
-            echo "Fix ONE issue at a time, then verify."
-            echo ""
-            echo "This ensures:"
-            echo "  1. Easier to track what changed"
-            echo "  2. Errors caught early"
-            echo "  3. User can review incrementally"
-            echo ""
-            echo "Wait for verification to complete before next fix."
-            echo ""
-            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-            echo ""
-            exit 1
-        fi
-        # Track this edit
-        increment_turn_edits > /dev/null
+    return 0
+}
+
+# Main execution
+main() {
+    # STEP 1: Check if workflow is initialized
+    if ! is_workflow_initialized; then
+        # Auto-initialize with safe defaults
+        auto_init_state
+
+        # After init, BLOCK this edit attempt
+        echo ""
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo -e "${RED}${BOLD}⛔ AUTOWORKFLOW: EDIT BLOCKED${NC}"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        echo "Workflow just initialized. Cannot edit yet."
+        echo ""
+        echo "You must first:"
+        echo "  1. Show your analysis/plan to the user"
+        echo "  2. Get user approval"
+        echo "  3. For features: Show 3-tier suggestions"
+        echo "  4. THEN implement one fix at a time"
+        echo ""
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        exit 1
     fi
 
-    # All checks passed, allow edit
+    # Get current state
+    local task_type=$(get_task_type)
+    local phase=$(get_phase)
+
+    # STEP 2: Run all gates
+
+    # GATE 1: Plan Approval
+    if ! check_plan_approval "$task_type"; then
+        exit 1
+    fi
+
+    # GATE 2: Suggestions (feature tasks only)
+    if ! check_suggestions "$task_type"; then
+        exit 1
+    fi
+
+    # GATE 3: One Edit Per Turn
+    if ! check_one_edit_per_turn "$task_type"; then
+        exit 1
+    fi
+
+    # ALL GATES PASSED - Allow edit and track it
+    increment_turn_edits > /dev/null
+
+    echo ""
+    echo -e "${GREEN}✓${NC} Edit allowed (turn edit #$(get_turn_edit_count))"
+    echo ""
+
     exit 0
 }
 

package/.claude/settings.local.json

@@ -15,7 +15,8 @@
       "Bash(unzip:*)",
       "Bash(node:*)",
       "Bash(echo:*)",
-      "Bash(ls:*)"
+      "Bash(ls:*)",
+      "Bash(npm view:*)"
     ]
   }
 }

package/README.md

@@ -2,7 +2,7 @@
 
 > Automated workflow enforcement for Claude Code via hooks and system prompts.
 
-**v3.6.0** - Multi-language support, one-fix-at-a-time enforcement, suggestions gate.
+**v3.7.0** - Fail-closed enforcement: BLOCKS edits by default unless all gates pass.
 
 When you use Claude Code with AutoWorkflow, hooks automatically enforce workflow phases, block unauthorized edits, and guide Claude through a structured process for all coding tasks.
 
@@ -21,6 +21,35 @@ Options:
 
 ---
 
+## What's New in v3.7.0
+
+### Fail-Closed Enforcement Design
+Previous versions "failed open" - if state wasn't set, edits were allowed. v3.7.0 "fails closed":
+
+| Scenario | Before (v3.6) | After (v3.7) |
+|----------|---------------|--------------|
+| No workflow state | ✅ Allowed | ⛔ BLOCKED |
+| Plan not approved | ⛔ Blocked (in PLAN phase only) | ⛔ BLOCKED (always) |
+| No suggestions shown | ⛔ Blocked (in IMPLEMENT only) | ⛔ BLOCKED (always for features) |
+| Multiple edits/turn | ⛔ Blocked (in FIX only) | ⛔ BLOCKED (always) |
+
+### Auto-Initialization with Safe Defaults
+When Claude attempts the first edit without workflow state:
+1. Auto-creates state with `task-type: feature` (strictest)
+2. Sets `plan-approved: false`
+3. Sets `suggestions-shown: false`
+4. **BLOCKS the edit** immediately
+5. Claude must show plan/suggestions first, get approval, then try again
+
+### Three Gates (All Must Pass)
+```
+GATE 1: Plan Approval     → Must have user approval
+GATE 2: Suggestions       → Must show 3-tier suggestions (features)
+GATE 3: One Edit/Turn     → Max 1 edit per user message
+```
+
+---
+
 ## What's New in v3.6.0
 
 ### Multi-Language Project Support
@@ -88,10 +117,11 @@ guardrails:
 ┌─────────────────────────────────────────────────────────────┐
 │                    HOOKS (Automatic)                         │
 │                                                              │
-│  UserPromptSubmit  →  session-check.sh (resume, blueprint)  │
-│  PreToolUse        →  pre-edit.sh (BLOCKS without approval) │
+│  UserPromptSubmit  →  session-check.sh (resume, turn reset) │
+│  PreToolUse        →  pre-edit.sh (3 gates: approval,       │
+│                       suggestions, one-fix-at-a-time)       │
 │  PreToolUse        →  pre-commit-check.sh (BLOCKS bad code) │
-│  PostToolUse       →  post-edit.sh (verification loop)      │
+│  PostToolUse       →  post-edit.sh (multi-lang verify)      │
 │  PostToolUse       →  post-commit.sh (BLUEPRINT reminder)   │
 │                                                              │
 │  Hooks ENFORCE workflow - they physically block actions     │
@@ -140,22 +170,26 @@ ANALYZE → PLAN → CONFIRM → IMPLEMENT → VERIFY → AUDIT → COMMIT → U
 
 | Hook | Trigger | Action |
 |------|---------|--------|
-| `session-check.sh` | Every user message | Resume previous session, check BLUEPRINT.md |
-| `pre-edit.sh` | Before Write/Edit | **BLOCK if plan not approved** |
-| `post-edit.sh` | After Write/Edit | Run verification loop (max 10 iterations) |
+| `session-check.sh` | Every user message | Resume session, reset turn counter |
+| `pre-edit.sh` | Before Write/Edit | **BLOCK** if: no approval, no suggestions, or multiple fixes |
+| `post-edit.sh` | After Write/Edit | Detect project type, run verification |
 | `pre-commit-check.sh` | Before git commit | **BLOCK if TODO/console.log/errors** |
 | `post-commit.sh` | After git commit | Remind to update BLUEPRINT.md |
 
 ---
 
-## Blocking Gates
+## Blocking Gates (Fail-Closed)
+
+| Gate | Blocks If | Applies To |
+|------|-----------|------------|
+| **State Init** | No workflow state exists | ALL tasks |
+| **Plan Approval** | User hasn't approved | feature, fix, refactor, perf, security, test |
+| **Suggestions** | 3-tier suggestions not shown | feature tasks |
+| **One Edit/Turn** | Already edited this turn | feature, fix, refactor, perf, security, test |
+| **Verify** | Language-specific errors | ALL (post-edit) |
+| **Pre-Commit** | TODO/FIXME, console.log | ALL commits |
 
-| Gate | Blocks If | Enforced By |
-|------|-----------|-------------|
-| Plan Approval | User hasn't approved the plan | `pre-edit.sh` (exit 1) |
-| Verify | TypeScript or ESLint errors exist | `post-edit.sh` loop |
-| Audit | Orphan features or circular dependencies | Required before commit |
-| Pre-Commit | TODO/FIXME, console.log, bad format | `pre-commit-check.sh` (exit 1) |
+**Design:** All gates are checked on EVERY edit. Unknown state = strictest defaults.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "autoworkflow",
-  "version": "3.6.0",
+  "version": "3.7.0",
   "description": "Automated workflow enforcement for Claude Code via hooks and system prompts",
   "type": "module",
   "bin": {